Date: Thu, 19 Apr 2007 15:55:23 +0300 (EEST)
From: "Prokofiev S.P." <proks@logos.uptel.net>
To: freebsd-ipfw@freebsd.org
Subject: IPFW Stateful behaviour (fwd)
Message-ID: <20070419140348.E15761@logos.uptel.net>
Forwarding to freebsd-ipfw to get a more specific ipfw audience.

Hi ALL!

PF has a useful state-policy option: if-bound, group-bound, floating. I have found out that IPFW stateful rules do not become attached to the interface and behave like PF stateful rules in floating mode.

For example, I build stateful rules (29991, 31991) on two interfaces for two different networks. I send a packet "pkt" from network net_staff1 to network net_staff2. It creates a stateful rule on entering if1, then it gets access to net_staff2 on output from if2 by the keep-state rule 31991. Deny rule 31995 does not work.

I have solved this problem with tag and skipto (29990, 31990), but it is not absolutely beautiful and useless. Are other solutions possible?

                  +-----------------+
                  |             if1 O----net_staff1
                  |                 |-----<----pkt
    ----INET---O if0                |
                  |                 |----->---->
                  |             if2 O----net_staff2
                  +-----------------+

    ipfw add skipto 29000 ip from any to any via $if1 // 4 bypass another iface
    ipfw add skipto 31000 ip from any to any via $if2 // 4 bypass another iface

    ############## IF1 29000
    N_DA=29995
    ipfw add 29990 skipto $N_DA log ip from any to any via $if1 tagged 65534 // bypass another stateful
    ipfw add 29991 allow tag 65534 log ip from $net_staff1 to any via $if1 in keep-state // stateful
    ipfw add $N_DA deny log ip from any to $net_staff1 via $if1 out
    ipfw add 29999 skipto 65000 ip from any to any via $if1

    ############## IF2 31000
    N_DA=31995
    ipfw add 31990 skipto $N_DA log ip from any to any via $if2 tagged 65534 // bypass another stateful
    ipfw add 31991 allow tag 65534 log ip from $net_staff2 to any via $if2 in keep-state // stateful
    ipfw add $N_DA deny log ip from any to $net_staff2 via $if2 out
    ipfw add 31999 skipto 65000 ip from any to any via $if2

PS: I would like to propose adding an option to change the behaviour of ipfw stateful rules, as is done in pf.

Sorry for my English.
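The following is an added model of the behaviour the mail describes, written by the editor and not part of the original message or of ipfw itself. It walks the rule numbers from the mail with and without the tag/skipto workaround; the dynamic-state key is simplified to the address pair (real ipfw also keys on protocol and ports), and the default rule is assumed to allow.

```python
# Added model of the behaviour described in the mail (not ipfw code): rules are
# walked in order, and a keep-state rule first consults the dynamic table, whose
# key is the address pair only, so a state created on if1 also matches on if2.

def rule(num, action, **kw):
    """kw: target (skipto), src, dst, via, dir, tagged (match), tag, keep_state."""
    return {"num": num, "action": action, **kw}

def _static_match(r, p):
    return all(r.get(k, p[k]) == p[k] for k in ("src", "dst", "via", "dir", "tagged"))

def walk(rules, p, states):
    """Return 'allow' or 'deny'. `states` maps an address pair to its parent rule number."""
    flow, i = frozenset((p["src"], p["dst"])), 0
    while i < len(rules):
        r, hit = rules[i], None
        if r.get("keep_state") and flow in states:   # dynamic lookup ignores via/dir
            hit = next(x for x in rules if x["num"] == states[flow])
        elif _static_match(r, p):
            hit = r
            if r.get("keep_state"):
                states[flow] = r["num"]
        if hit is None:
            i += 1
            continue
        if "tag" in hit:
            p["tagged"] = hit["tag"]                   # the tag rides on the packet into the next pass
        if hit["action"] != "skipto":
            return hit["action"]
        i = next((k for k, x in enumerate(rules) if x["num"] >= hit["target"]), len(rules))
    return "allow"                                     # default rule taken as allow here

def ruleset(workaround):
    """29991/31991 keep-state, 29995/31995 deny, as in the mail; 29990/31990 are the tag+skipto fix."""
    extra = {"tag": 65534} if workaround else {}
    rs = [rule(100, "skipto", target=29000, via="if1"),
          rule(200, "skipto", target=31000, via="if2"),
          rule(29991, "allow", src="net_staff1", via="if1", dir="in", keep_state=True, **extra),
          rule(29995, "deny", dst="net_staff1", via="if1", dir="out"),
          rule(31991, "allow", src="net_staff2", via="if2", dir="in", keep_state=True, **extra),
          rule(31995, "deny", dst="net_staff2", via="if2", dir="out")]
    if workaround:
        rs += [rule(29990, "skipto", target=29995, via="if1", tagged=65534),
               rule(31990, "skipto", target=31995, via="if2", tagged=65534)]
    return sorted(rs, key=lambda x: x["num"])

def forward(workaround):
    """Packet net_staff1 -> net_staff2: in on if1, then out on if2. Returns both verdicts."""
    rules, states = ruleset(workaround), {}
    p = {"src": "net_staff1", "dst": "net_staff2", "via": "if1", "dir": "in", "tagged": 0}
    first = walk(rules, p, states)                     # creates the state at 29991
    p["via"], p["dir"] = "if2", "out"
    return first, walk(rules, p, states)
```

Without the workaround the if2 pass hits 31991, finds the state created at 29991 and executes that rule's allow, so deny 31995 is never reached; with the tag, 31990 sends the tagged packet straight to the deny rule.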